MB MQ Validation
rammer
Posted: Wed Jun 05, 2013 3:27 pm    Post subject: MB MQ Validation

Partisan

Joined: 02 May 2002
Posts: 359
Location: England

Hello All,

First of all, thanks for the help on a previous thread for MB / MQ Security.

I do have another question now that I have moved on a little for something I have seen today.

Environment
AIX MQ7.5
MB Toolkit running using channel BROKER.SVRCONN
BLOCKIP2 exit set for low user id giving +put +get +set +inq +browse +dsp to queues and conn to qmgr
MB creation carried out via user id esbuat1 which was part of mqm group

esbuat1 account then removed from mqm group

On using toolkit, execution group created but complains that it cannot create the SYSTEM.BROKER.AUTH.<EGROUP>

The above is fine and is documented in the info centre. As soon as I create the new alias AUTH group then MB Team can deploy without issues.

However, if I add the esbuat1 id back into mqm group and MB Team then create an egroup, the queue is created without issue.

The bit I do not understand is why it allows creation of queue when the channel they are using sets the mcauser to mqbkrsup which has the permissions set above, ie does not have create?

Thanks in advance
Tibor
Posted: Fri Jun 21, 2013 4:59 am

Grand Master

Joined: 20 May 2001
Posts: 1033
Location: Hungary

The MQ authority system is group-based on Unix, not user-related. So you should check your user's membership in the groups.

Moreover you can list the authority settings, e.g.
Code:
amqoamd -m <QMGR> -s
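
Added example, not part of the original thread or of any poster's reply: a sketch of the group-based check described above, run against constructed lines in the setmqaut-command form that `amqoamd -m <QMGR> -s` prints. The names QM1, mqbkrgrp and mqdeploy are hypothetical, and it assumes queue-create authority shows up as `+crt` on the `@class` profile.

```shell
#!/bin/sh
# Constructed sample in the setmqaut-command form that `amqoamd -m <QMGR> -s`
# prints. QM1, mqbkrgrp and mqdeploy are hypothetical names.
sample_dump() {
cat <<'EOF'
setmqaut -m QM1 -n @class -t queue -g mqdeploy +crt
setmqaut -m QM1 -n SYSTEM.BROKER.** -t queue -g mqbkrgrp +browse +dsp +get +inq +put +set
setmqaut -m QM1 -t qmgr -g mqbkrgrp +connect
EOF
}

# groups_with_auth PROFILE TYPE AUTH
# Reads setmqaut lines on stdin; prints each group (-g) holding +AUTH
# on exactly that profile (-n) and object type (-t).
groups_with_auth() {
    awk -v prof="$1" -v typ="$2" -v want="+$3" '
    $1 == "setmqaut" {
        n = ""; t = ""; g = ""; hit = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-n") n = $(i + 1)
            else if ($i == "-t") t = $(i + 1)
            else if ($i == "-g") g = $(i + 1)
            else if ($i == want) hit = 1
        }
        if (hit && g != "" && n == prof && t == typ) print g
    }'
}

# queue_create_grant "GROUP LIST"
# GROUP LIST is what `id -Gn <user>` prints for the ID MQ actually checks.
# Prints the first group that allows queue creation, or "none".
queue_create_grant() {
    granting=$(sample_dump | groups_with_auth "@class" queue crt)
    for ug in $1; do
        # Members of mqm are MQ administrators whatever the dump records.
        if [ "$ug" = "mqm" ]; then echo "mqm"; return 0; fi
        for gg in $granting; do
            if [ "$ug" = "$gg" ]; then echo "$ug"; return 0; fi
        done
    done
    echo "none"
}

queue_create_grant "staff mqm"   # ID that is a member of mqm
queue_create_grant "mqbkrgrp"    # ID limited to the low-privilege group
```

On a real system, replace `sample_dump` with the saved output of the `amqoamd` command and pass the group list of the user ID that the authority event or error message reports.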
hughson
Posted: Thu Jun 27, 2013 1:19 am    Post subject: Re: MB MQ Validation

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

rammer wrote:
esbuat1 account then removed from mqm group

On using toolkit, execution group created but complains that it cannot create the SYSTEM.BROKER.AUTH.<EGROUP>

However, if I add the esbuat1 id back into mqm group and MB Team then create an egroup, the queue is created without issue.


Is it possible that the user esbuat1 is the user ID used to attempt to create the SYSTEM.BROKER.AUTH.<EGROUP>?

If you look at the authority event, or even just the error message generated as a result of this you should see the user ID being used. Is it the user ID you expect?

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
rammer
Posted: Thu Jun 27, 2013 1:31 am

Partisan

Joined: 02 May 2002
Posts: 359
Location: England

Thanks for the responses. I will start looking at testing on this environment after next week's holiday and will feed back results.

Thank you for taking the time to respond